The safeguarding of personal data stored on electronic devices that customers lose or misplace is an increasingly significant topic in the legal community. According to a NetDiligence 2013 study of insurance claims, lost, misplaced or stolen electronic devices were the number one source of claims, which means that sooner or later your business will come across a lost device in the normal course of its activities. The information presented here is of particular relevance to any entity that maintains a lost and found department, including public arenas, convention facilities, amusement parks, cab companies and similar businesses. So what happens to the found item?
If you have proper policies and training in place, all found items should immediately be turned in to management. At this stage you will likely attempt to ascertain the ownership of the item: in the case of a hotel, for example, you will check who was the last person to stay in a particular room, or, if that is impossible, you may turn on the device to look for clues to the owner's identity. Bear in mind that looking inside the device is itself access to someone else's personal data: limit it to what is needed to identify the owner (a lock screen message, an emergency contact, a name on the case), do not browse further, and record who handled the device and when. If no indication of ownership is to be found on or inside the device, you will most likely leave the item in your general "lost and found" area and wait for the owner to return for the statutorily prescribed period. What if the owner never returns?
At this stage state law will generally apply. For example, in Texas the law deems an innkeeper a "gratuitous bailee", meaning that the business is not being paid for the safekeeping of the property and need only hold found items for one week, after which the innkeeper may dispose of them at its discretion without liability. Although state law may allow disposal after a specified period, the business is still not off the hook, because of the personal data safekeeping requirements imposed by the federal government, specifically the Federal Trade Commission, which may also open the door to monetary liability in civil court, as discussed below. It goes without saying that a business must also be well versed in its own state's electronic information safekeeping requirements, because a state attorney general is more likely than the federal government to go after a business that fails to secure sensitive personal information.
The FTC has promulgated a standard for safeguarding customer information, called the Safeguards Rule, which applies to "financial institutions" in the broad sense used by the Gramm-Leach-Bliley Act, that is, to many businesses that are not banks. It covers any company that in the normal course of business handles customer information related to finance, including check-cashing businesses, credit card companies, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services, among others. Some legal commentators expect these mandates to be applied to businesses across the board in the near future. More concretely, the rule already requires a covered institution to oversee its service providers and to require appropriate safeguards from them by contract, so if your company works with an entity to which the Safeguards Rule applies, that entity may demand that you implement safeguards sufficient to ensure that the data you hold is securely stored and subsequently transferred to it properly. It is simply good business practice to stay ahead of the curve and comply with the rule whether you are covered directly or indirectly.
The rule requires a written, comprehensive information security program suited to the organization's size and the sensitivity of the information it handles. In practical terms, a covered organization must designate someone to coordinate the program, identify the reasonably foreseeable risks to its information systems, estimate the likelihood and impact of those risks, put safeguards in place to control them and regularly test those safeguards, oversee its service providers, and adjust the program as circumstances change. Compliance with these requirements is currently uneven, and FTC enforcement in practice often follows consumer complaints or reported breaches. Matters are also referred to state agencies, and companies across many industries have paid substantial penalties or settlements for failing to secure sensitive personal data. As data breaches remain a major concern for individuals, credit card companies, and other vendors that a business needs in order to keep operating, potential liability must be addressed proactively through the methods described below.
Tort liability in civil court is currently the main avenue of enforcement after a data breach. This means that if personal information falls into the wrong hands and an injury occurs, the business may be sued by the injured person(s) as the responsible party. The main cause of action for such claims is negligence, in which the court assesses whether the defendant business met a "duty to exercise a reasonable standard of care". Although there are many factors to consider in a negligence action, there is some consensus that the FTC Safeguards Rule described above should be treated as the baseline for an organization seeking to avoid liability. In other words, if no measures have been taken to protect personal information, a business may be deemed not to have acted reasonably, and liability may follow. Taking direct action is undoubtedly the best policy.
The current state of the law, a loose and inefficient patchwork of state and federal mandates, is leading various industries to police themselves in order to avoid further burdensome and confusing government intervention. Any business that wishes to avoid regulatory scrutiny and potential civil liability must therefore take proactive steps to prevent unauthorized parties from accessing sensitive data. One sound way to implement the comprehensive strategy the FTC expects is to engage a third party professional to ensure that the data on any "lost and found" electronic device is fully removed before the device is disposed of. The 911 Cell Phone Bank is an organization that wipes all data from any electronic device, so that no recoverable customer data leaves your custody when the device does. Whoever performs the wipe, keep a record of each device handed over and obtain written confirmation that it was wiped or destroyed; that record is what demonstrates reasonable care if a question is later raised. Engaging such a service is strongly advisable for any business that regularly comes into contact with lost or misplaced customer electronics, because the risks of disposing of such devices improperly are significant.